Missed opportunity for El Reg...
Article should have been titled "Sophos yells 'me too' and tries to catch up with the rest of the industry".
Security professionals still talk about “antivirus defences,” but in the space of a handful of years what is meant by this term has undergone a dramatic shift. On the surface, things look much as they have always done. Businesses still run what used to be called “AV protection,” reinvented some time ago as the all-purpose “ …
Indeed there are new players. Sophos is definitely taking the 'me too' approach. Take a look at SentinelOne. They're the leading visionary in Gartner's endpoint security magic quadrant published a couple of weeks ago. They provide a single agent that does prevention, detection, forensics, mitigations and remediation. They're the leader everyone is following. And yes I work for them.
I had the opportunity to work with FireEye web and mail appliances a while back - they pop open file attachments (for mail, or just downloads for web) in a sandbox and watch what they do. I'm sure it's not perfect, but it was catching a lot of stuff my then employer's mainstream corporate desktop AV was missing. I gather it's ferociously expensive, although as they just fired a load of sales people perhaps that's changed.
I assume that as FE have been doing this for several years now, that competing products doing the same sort of thing are available; I just haven't heard of them.
When testing their new XG UTM, I could still take it down with a silly little ip address.
I don't see manufacturers providing software to authenticate the firmware on their device chips, and I don't see enough people checking the open source code that works with compromised firmware and drivers.
I don't see any of these points being addressed after all these years.
http://www.intelsecurity.com/resources/pr-bios-secure-boot-attacks-uncovered.pdf
http://www.intelsecurity.com/advanced-threat-research/ht_uefi_rootkit.html_7142015.html
When testing their new XG UTM, I could still take it down with a silly little ip address.
I don't understand what this means, could you explain a bit more? Are you talking about handing it traffic with spoofed IPs? Setting the src IP field to 127.0.0.1? What?
WRT bootkits and embedded microcode, there are in fact various schemes using variations on crypto-signed hashes to check integrity of such microcode. The hot (relatively) "new" unaddressed HW vulnerabilities seem to mostly be around attacks on busses such as USB, SATA, PCI-E &c.
However this is all irrelevant if you're not doing at least basic threat modelling. Bootkits, microcode exploits and suchlike are very unlikely to be used outside of targeted attacks on high value targets by nation state actors; for almost everyone else, there are much easier ways of getting the job done.
The problem as I see it is that if a device is capable of running its own antivirus to protect itself, then logically, it's also capable of running a virus/malware. And if you and I can run the antivirus, then so can the people who make the viruses, which means they'll hammer away at it until it can be worked around.
Well, yes, that is how it works. And then there are those who will blow through half-a-dozen prompts in order to run that malware they received, or even shut off the scanner.
It's always a challenge to defend the benign-and-stupid against the clever-and-malignant. That's what scanners try to do.
Need to use W? It's in a VM, nearly always air-gapped, and I never save the machine state, so it's a fresh, pristine install every time.
Maybe the future of computing is destined to be loading up a hardened OS like Whonix or better and then running your preferred poison, and if you think something hinky is going on (for example, fans kick in for no reason, processor usage suddenly goes through the roof, etc.), shut it down and restart; it doesn't take long.
AV is a sign of the failure of Windows security policies.
Where are my switches for starting applications? /nochildspawn /nonetwork /nochangeprivs /nopermwrite /flagsecviolations /noproxyuse /nopublicipaccess /currentdoconly /noforeignmimefiles etc?
Putting in some sensible defaults would kill most security issues, since they are mostly down to users not knowing or caring and being hit by drive-by infections operating at the level of the user. We need to be more fine-grained than that.
Set the security policy to sandbox the application before you start. Maybe even get the OS to add metadata used by the original application security policy when the file was written. These would be worthwhile OS upgrades, not the "Modern" interface.